{ "version": "2.0", "source": "VulnerabilityRegistry v2 (100 types) + XBOW benchmark insights", "vulnerability_types": { "xss_reflected": { "title": "Reflected Cross-Site Scripting (XSS)", "severity": "medium", "cwe_id": "CWE-79", "description": "Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser.", "impact": "An attacker can execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, capturing credentials, or performing actions on behalf of the user.", "remediation": "1. Encode all user input when rendering in HTML context\n2. Use Content-Security-Policy headers\n3. Set HttpOnly flag on sensitive cookies\n4. Use modern frameworks with auto-escaping", "has_tester": true, "false_positive_markers": [ "<", ">", "&", "Content-Security-Policy" ] }, "xss_stored": { "title": "Stored Cross-Site Scripting (XSS)", "severity": "high", "cwe_id": "CWE-79", "description": "Stored XSS occurs when malicious script is permanently stored on the target server, such as in a database, message forum, visitor log, or comment field.", "impact": "All users who view the affected page will execute the malicious script, leading to mass credential theft, session hijacking, or malware distribution.", "remediation": "1. Sanitize and validate all user input before storage\n2. Encode output when rendering\n3. Implement Content-Security-Policy\n4. Use HttpOnly and Secure flags on cookies", "has_tester": true, "false_positive_markers": [ "<", ">", "sanitized" ] }, "xss_dom": { "title": "DOM-based Cross-Site Scripting", "severity": "medium", "cwe_id": "CWE-79", "description": "DOM-based XSS occurs when client-side JavaScript processes user input and writes it to the DOM in an unsafe way.", "impact": "Attacker can execute JavaScript in the user's browser through malicious links or user interaction.", "remediation": "1. Avoid using dangerous DOM sinks (innerHTML, eval, document.write)\n2. Use textContent instead of innerHTML\n3. Sanitize user input on the client side\n4. Implement CSP with strict policies", "has_tester": true, "false_positive_markers": [] }, "sqli_error": { "title": "Error-based SQL Injection", "severity": "critical", "cwe_id": "CWE-89", "description": "SQL injection vulnerability that reveals database errors containing query information, allowing attackers to extract data through error messages.", "impact": "Complete database compromise including data theft, modification, or deletion. May lead to remote code execution on the database server.", "remediation": "1. Use parameterized queries/prepared statements\n2. Implement input validation with whitelist approach\n3. Apply least privilege principle for database accounts\n4. Disable detailed error messages in production", "has_tester": true, "false_positive_markers": [ "parameterized", "prepared statement", "PDO" ] }, "sqli_union": { "title": "Union-based SQL Injection", "severity": "critical", "cwe_id": "CWE-89", "description": "SQL injection allowing UNION-based queries to extract data from other database tables.", "impact": "Full database extraction capability. Attacker can read all database tables, users, and potentially escalate to RCE.", "remediation": "1. Use parameterized queries exclusively\n2. Implement strict input validation\n3. Use stored procedures where appropriate\n4. Monitor for unusual query patterns", "has_tester": true, "false_positive_markers": [] }, "sqli_blind": { "title": "Blind SQL Injection (Boolean-based)", "severity": "high", "cwe_id": "CWE-89", "description": "SQL injection where results are inferred from application behavior changes rather than direct output.", "impact": "Slower but complete data extraction is possible. Can lead to full database compromise.", "remediation": "1. Use parameterized queries\n2. Implement WAF rules for SQL injection patterns\n3. Use connection pooling with timeout limits\n4. Implement query logging and monitoring", "has_tester": true, "false_positive_markers": [] }, "sqli_time": { "title": "Time-based Blind SQL Injection", "severity": "high", "cwe_id": "CWE-89", "description": "SQL injection where attacker can infer information based on time delays in responses.", "impact": "Complete data extraction possible, though slower. Can determine database structure and content.", "remediation": "1. Use parameterized queries\n2. Set strict query timeout limits\n3. Monitor for anomalously slow queries\n4. Implement rate limiting", "has_tester": true, "false_positive_markers": [] }, "command_injection": { "title": "OS Command Injection", "severity": "critical", "cwe_id": "CWE-78", "description": "Application passes unsafe user-supplied data to a system shell, allowing execution of arbitrary OS commands.", "impact": "Complete system compromise. Attacker can execute any command with the application's privileges, potentially gaining full server access.", "remediation": "1. Avoid shell commands; use native library functions\n2. If shell required, use strict whitelist validation\n3. Never pass user input directly to shell\n4. Run with minimal privileges, use containers", "has_tester": true, "false_positive_markers": [ "escapeshellarg", "escapeshellcmd" ] }, "ssti": { "title": "Server-Side Template Injection", "severity": "critical", "cwe_id": "CWE-94", "description": "User input is unsafely embedded into server-side templates, allowing template code execution.", "impact": "Often leads to remote code execution. Attacker can read files, execute commands, and compromise the server.", "remediation": "1. Never pass user input to template engines\n2. Use logic-less templates when possible\n3. Implement sandbox environments for templates\n4. Validate and sanitize all template inputs", "has_tester": true, "false_positive_markers": [ "autoescape", "sandbox" ] }, "nosql_injection": { "title": "NoSQL Injection", "severity": "high", "cwe_id": "CWE-943", "description": "Injection attack targeting NoSQL databases like MongoDB through operator injection.", "impact": "Authentication bypass, data theft, and potential server compromise depending on database configuration.", "remediation": "1. Validate and sanitize all user input\n2. Use parameterized queries where available\n3. Disable server-side JavaScript execution\n4. Apply strict typing to query parameters", "has_tester": true, "false_positive_markers": [] }, "lfi": { "title": "Local File Inclusion", "severity": "high", "cwe_id": "CWE-98", "description": "Application includes local files based on user input, allowing access to sensitive files.", "impact": "Read sensitive configuration files, source code, and potentially achieve code execution via log poisoning.", "remediation": "1. Avoid dynamic file inclusion\n2. Use whitelist of allowed files\n3. Validate and sanitize file paths\n4. Implement proper access controls", "has_tester": true, "false_positive_markers": [ "open_basedir", "chroot", "permission denied" ] }, "rfi": { "title": "Remote File Inclusion", "severity": "critical", "cwe_id": "CWE-98", "description": "Application includes remote files, allowing execution of attacker-controlled code.", "impact": "Direct remote code execution. Complete server compromise.", "remediation": "1. Disable allow_url_include in PHP\n2. Use whitelists for file inclusion\n3. Never use user input in include paths\n4. Implement strict input validation", "has_tester": true, "false_positive_markers": [] }, "path_traversal": { "title": "Path Traversal", "severity": "high", "cwe_id": "CWE-22", "description": "Application allows navigation outside intended directory through ../ sequences.", "impact": "Access to sensitive files outside web root, including configuration files and source code.", "remediation": "1. Validate and sanitize file paths\n2. Use basename() to strip directory components\n3. Implement chroot or containerization\n4. Use whitelist of allowed directories", "has_tester": true, "false_positive_markers": [] }, "xxe": { "title": "XML External Entity Injection", "severity": "high", "cwe_id": "CWE-611", "description": "XML parser processes external entity references, allowing file access or SSRF.", "impact": "Read local files, perform SSRF attacks, and potentially achieve denial of service.", "remediation": "1. Disable external entity processing\n2. Use JSON instead of XML where possible\n3. Validate and sanitize XML input\n4. Use updated XML parsers with secure defaults", "has_tester": true, "false_positive_markers": [ "disableExternalEntities", "FEATURE_EXTERNAL" ] }, "file_upload": { "title": "Arbitrary File Upload", "severity": "high", "cwe_id": "CWE-434", "description": "Application allows uploading of dangerous file types that can be executed.", "impact": "Upload of web shells leading to remote code execution and complete server compromise.", "remediation": "1. Validate file type using magic bytes\n2. Rename uploaded files\n3. Store outside web root\n4. Disable execution in upload directory", "has_tester": true, "false_positive_markers": [] }, "ssrf": { "title": "Server-Side Request Forgery", "severity": "high", "cwe_id": "CWE-918", "description": "Application makes requests to attacker-specified URLs, accessing internal resources.", "impact": "Access to internal services, cloud metadata, and potential for pivoting to internal networks.", "remediation": "1. Implement URL whitelist\n2. Block requests to internal IPs\n3. Disable unnecessary URL schemes\n4. Use network segmentation", "has_tester": true, "false_positive_markers": [ "blocked", "denied", "filtered" ] }, "ssrf_cloud": { "title": "SSRF to Cloud Metadata", "severity": "critical", "cwe_id": "CWE-918", "description": "SSRF vulnerability allowing access to cloud provider metadata services.", "impact": "Credential theft, full cloud account compromise, lateral movement in cloud infrastructure.", "remediation": "1. Block requests to metadata IPs\n2. Use IMDSv2 (AWS) or equivalent\n3. Implement strict URL validation\n4. Use firewall rules for metadata endpoints", "has_tester": true, "false_positive_markers": [] }, "csrf": { "title": "Cross-Site Request Forgery", "severity": "medium", "cwe_id": "CWE-352", "description": "Application allows state-changing requests without proper origin validation.", "impact": "Attacker can perform actions as authenticated users, including transfers, password changes, or data modification.", "remediation": "1. Implement anti-CSRF tokens\n2. Verify Origin/Referer headers\n3. Use SameSite cookie attribute\n4. Require re-authentication for sensitive actions", "has_tester": true, "false_positive_markers": [ "csrf_token", "_token", "authenticity_token" ] }, "auth_bypass": { "title": "Authentication Bypass", "severity": "critical", "cwe_id": "CWE-287", "description": "Authentication mechanisms can be bypassed through various techniques.", "impact": "Complete unauthorized access to user accounts and protected resources.", "remediation": "1. Implement proper authentication checks on all routes\n2. Use proven authentication frameworks\n3. Implement account lockout\n4. Use MFA for sensitive accounts", "has_tester": true, "false_positive_markers": [] }, "jwt_manipulation": { "title": "JWT Token Manipulation", "severity": "high", "cwe_id": "CWE-347", "description": "JWT implementation vulnerabilities allowing token forgery or manipulation.", "impact": "Authentication bypass, privilege escalation, and identity impersonation.", "remediation": "1. Always verify JWT signatures\n2. Use strong signing algorithms (RS256)\n3. Validate all claims including exp and iss\n4. Implement token refresh mechanisms", "has_tester": true, "false_positive_markers": [] }, "session_fixation": { "title": "Session Fixation", "severity": "medium", "cwe_id": "CWE-384", "description": "Application accepts session tokens from URL parameters or doesn't regenerate after login.", "impact": "Attacker can hijack user sessions by fixing known session IDs.", "remediation": "1. Regenerate session ID after login\n2. Only accept session from cookies\n3. Implement secure session management\n4. Use short session timeouts", "has_tester": true, "false_positive_markers": [] }, "idor": { "title": "Insecure Direct Object Reference", "severity": "high", "cwe_id": "CWE-639", "description": "Application exposes internal object IDs without proper authorization checks.", "impact": "Unauthorized access to other users' data, potentially exposing sensitive information.", "remediation": "1. Implement proper authorization checks\n2. Use indirect references or UUIDs\n3. Validate user ownership of resources\n4. Implement access control lists", "has_tester": true, "false_positive_markers": [] }, "bola": { "title": "Broken Object Level Authorization", "severity": "high", "cwe_id": "CWE-639", "description": "API endpoints don't properly validate object-level permissions.", "impact": "Access to any object by manipulating IDs, leading to mass data exposure.", "remediation": "1. Implement object-level authorization\n2. Validate permissions on every request\n3. Use authorization middleware\n4. Log and monitor access patterns", "has_tester": true, "false_positive_markers": [] }, "privilege_escalation": { "title": "Privilege Escalation", "severity": "critical", "cwe_id": "CWE-269", "description": "User can elevate privileges to access higher-level functionality.", "impact": "User can gain admin access, access to all data, and full system control.", "remediation": "1. Implement role-based access control\n2. Validate roles on every request\n3. Use principle of least privilege\n4. Monitor for privilege escalation attempts", "has_tester": true, "false_positive_markers": [] }, "cors_misconfig": { "title": "CORS Misconfiguration", "severity": "medium", "cwe_id": "CWE-942", "description": "Overly permissive CORS policy allows cross-origin requests from untrusted domains.", "impact": "Cross-origin data theft and unauthorized API access from malicious websites.", "remediation": "1. Implement strict origin whitelist\n2. Avoid Access-Control-Allow-Origin: *\n3. Validate Origin header server-side\n4. Don't reflect Origin without validation", "has_tester": true, "false_positive_markers": [ "Vary: Origin" ] }, "clickjacking": { "title": "Clickjacking", "severity": "medium", "cwe_id": "CWE-1021", "description": "Application can be framed by malicious pages, tricking users into clicking hidden elements.", "impact": "Users can be tricked into performing unintended actions like transfers or permission grants.", "remediation": "1. Set X-Frame-Options: DENY\n2. Implement frame-ancestors CSP directive\n3. Use JavaScript frame-busting as backup\n4. Require confirmation for sensitive actions", "has_tester": true, "false_positive_markers": [] }, "open_redirect": { "title": "Open Redirect", "severity": "low", "cwe_id": "CWE-601", "description": "Application redirects to user-specified URLs without validation.", "impact": "Phishing attacks using trusted domain, credential theft, and reputation damage.", "remediation": "1. Use whitelist for redirect destinations\n2. Validate redirect URLs server-side\n3. Don't use user input directly in redirects\n4. Warn users before redirecting externally", "has_tester": true, "false_positive_markers": [] }, "security_headers": { "title": "Missing Security Headers", "severity": "low", "cwe_id": "CWE-693", "description": "Application doesn't set important security headers like CSP, HSTS, X-Frame-Options.", "impact": "Increased risk of XSS, clickjacking, and MITM attacks.", "remediation": "1. Implement Content-Security-Policy\n2. Enable Strict-Transport-Security\n3. Set X-Frame-Options and X-Content-Type-Options\n4. Configure Referrer-Policy", "has_tester": true, "false_positive_markers": [] }, "ssl_issues": { "title": "SSL/TLS Configuration Issues", "severity": "medium", "cwe_id": "CWE-326", "description": "Weak SSL/TLS configuration including outdated protocols or weak ciphers.", "impact": "Traffic interception, credential theft, and man-in-the-middle attacks.", "remediation": "1. Disable SSLv3, TLS 1.0, TLS 1.1\n2. Use strong cipher suites only\n3. Enable HSTS with preload\n4. Implement certificate pinning for mobile apps", "has_tester": true, "false_positive_markers": [] }, "http_methods": { "title": "Dangerous HTTP Methods Enabled", "severity": "low", "cwe_id": "CWE-749", "description": "Server allows potentially dangerous HTTP methods like TRACE, PUT, DELETE without proper restrictions.", "impact": "Potential for XST attacks, unauthorized file uploads, or resource manipulation.", "remediation": "1. Disable unnecessary HTTP methods\n2. Configure web server to reject TRACE/TRACK\n3. Implement proper authorization for PUT/DELETE\n4. Use web application firewall", "has_tester": true, "false_positive_markers": [] }, "race_condition": { "title": "Race Condition", "severity": "medium", "cwe_id": "CWE-362", "description": "Application has race conditions that can be exploited through concurrent requests.", "impact": "Double-spending, bypassing limits, or corrupting data through timing attacks.", "remediation": "1. Implement proper locking mechanisms\n2. Use atomic database operations\n3. Implement idempotency keys\n4. Add proper synchronization", "has_tester": false, "false_positive_markers": [] }, "business_logic": { "title": "Business Logic Vulnerability", "severity": "varies", "cwe_id": "CWE-840", "description": "Flaw in application's business logic allowing unintended behavior.", "impact": "Varies based on specific flaw - could range from minor to critical impact.", "remediation": "1. Review business logic flows\n2. Implement comprehensive validation\n3. Add server-side checks for all rules\n4. Test edge cases and negative scenarios", "has_tester": false, "false_positive_markers": [] }, "ldap_injection": { "title": "LDAP Injection", "severity": "high", "cwe_id": "CWE-90", "description": "User input injected into LDAP queries allowing directory enumeration or auth bypass.", "impact": "Directory enumeration, authentication bypass, data extraction from LDAP stores.", "remediation": "1. Escape LDAP special characters\n2. Use parameterized LDAP queries\n3. Validate input against whitelist\n4. Apply least privilege to LDAP accounts", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "xpath_injection": { "title": "XPath Injection", "severity": "high", "cwe_id": "CWE-643", "description": "User input injected into XPath queries manipulating XML data retrieval.", "impact": "Extraction of XML data, authentication bypass via XPath condition manipulation.", "remediation": "1. Use parameterized XPath queries\n2. Validate and sanitize input\n3. Avoid string concatenation in XPath\n4. Limit XPath query privileges", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "graphql_injection": { "title": "GraphQL Injection", "severity": "high", "cwe_id": "CWE-89", "description": "Injection attacks targeting GraphQL endpoints through malicious queries or variables.", "impact": "Schema exposure, unauthorized data access, denial of service via complex queries.", "remediation": "1. Disable introspection in production\n2. Implement query depth/complexity limits\n3. Use persisted queries\n4. Apply field-level authorization", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "crlf_injection": { "title": "CRLF Injection / HTTP Response Splitting", "severity": "medium", "cwe_id": "CWE-93", "description": "Injection of CRLF characters to manipulate HTTP response headers or split responses.", "impact": "HTTP header injection, session fixation via Set-Cookie, XSS via response splitting.", "remediation": "1. Strip \\r\\n from user input in headers\n2. Use framework header-setting functions\n3. Validate header values\n4. Implement WAF rules for CRLF patterns", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "header_injection": { "title": "HTTP Header Injection", "severity": "medium", "cwe_id": "CWE-113", "description": "User input reflected in HTTP headers enabling header manipulation.", "impact": "Password reset poisoning, cache poisoning, access control bypass via header manipulation.", "remediation": "1. Validate Host header against whitelist\n2. Don't use Host header for URL generation\n3. Strip CRLF from header values\n4. Use absolute URLs for sensitive operations", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "email_injection": { "title": "Email Header Injection", "severity": "medium", "cwe_id": "CWE-93", "description": "Injection of email headers through form fields that feed into mail functions.", "impact": "Spam relay, phishing via injected CC/BCC recipients, email content manipulation.", "remediation": "1. Validate email addresses strictly\n2. Strip CRLF from email inputs\n3. Use email library APIs not raw headers\n4. Implement rate limiting on email features", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "expression_language_injection": { "title": "Expression Language Injection", "severity": "critical", "cwe_id": "CWE-917", "description": "Injection of EL/SpEL/OGNL expressions evaluated server-side in Java applications.", "impact": "Remote code execution, server compromise, data exfiltration via expression evaluation.", "remediation": "1. Disable EL evaluation on user input\n2. Use strict sandboxing\n3. Update frameworks (Struts2 OGNL patches)\n4. Validate input before template rendering", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "log_injection": { "title": "Log Injection / Log4Shell", "severity": "high", "cwe_id": "CWE-117", "description": "Injection into application logs enabling log forging or JNDI-based RCE (Log4Shell).", "impact": "Log tampering, JNDI-based RCE (Log4Shell), log analysis tool exploitation.", "remediation": "1. Strip newlines from log input\n2. Update Log4j to 2.17+ (CVE-2021-44228)\n3. Disable JNDI lookups\n4. Use structured logging", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "html_injection": { "title": "HTML Injection", "severity": "medium", "cwe_id": "CWE-79", "description": "Injection of HTML markup into web pages without script execution.", "impact": "Content spoofing, phishing form injection, defacement, link manipulation.", "remediation": "1. HTML-encode all user output\n2. Use Content-Security-Policy\n3. Implement output encoding libraries\n4. Sanitize HTML with whitelist approach", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "csv_injection": { "title": "CSV/Formula Injection", "severity": "medium", "cwe_id": "CWE-1236", "description": "Injection of spreadsheet formulas into data exported as CSV/Excel.", "impact": "Code execution when CSV opened in Excel, DDE attacks, data exfiltration via formulas.", "remediation": "1. Prefix cells starting with =,+,-,@ with single quote\n2. Sanitize formula characters\n3. Use safe CSV export libraries\n4. Warn users about untrusted CSV files", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "orm_injection": { "title": "ORM Injection", "severity": "high", "cwe_id": "CWE-89", "description": "Injection through ORM query builders via operator injection or raw query manipulation.", "impact": "Data extraction, authentication bypass through ORM filter manipulation.", "remediation": "1. Use ORM built-in parameter binding\n2. Avoid raw queries with user input\n3. Validate filter operators\n4. Use field-level whitelists", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "blind_xss": { "title": "Blind Cross-Site Scripting", "severity": "high", "cwe_id": "CWE-79", "description": "XSS payload stored and executed in backend/admin context not visible to the attacker.", "impact": "Admin session hijacking, backend system compromise, persistent access to admin panels.", "remediation": "1. Sanitize all input regardless of display context\n2. Implement CSP on admin panels\n3. Use HttpOnly cookies\n4. Review admin panel input rendering", "has_tester": true, "false_positive_markers": [ "<", ">", "Content-Security-Policy" ] }, "mutation_xss": { "title": "Mutation XSS (mXSS)", "severity": "high", "cwe_id": "CWE-79", "description": "XSS via browser HTML mutation where sanitized HTML changes to executable form after DOM processing.", "impact": "Bypasses HTML sanitizers, executes JavaScript through browser parsing quirks.", "remediation": "1. Update DOMPurify/sanitizers\n2. Use textContent not innerHTML\n3. Avoid innerHTML re-serialization\n4. Test with multiple browsers", "has_tester": true, "false_positive_markers": [ "<", ">", "Content-Security-Policy" ] }, "arbitrary_file_read": { "title": "Arbitrary File Read", "severity": "high", "cwe_id": "CWE-22", "description": "Reading arbitrary files via API or download endpoints outside intended scope.", "impact": "Access to credentials, configuration, source code, private keys.", "remediation": "1. Validate file paths against whitelist\n2. Use chroot/jail\n3. Implement proper access controls\n4. Avoid user input in file paths", "has_tester": true, "false_positive_markers": [ "403", "Forbidden", "Access Denied" ] }, "arbitrary_file_delete": { "title": "Arbitrary File Delete", "severity": "high", "cwe_id": "CWE-22", "description": "Deleting arbitrary files through path traversal in delete operations.", "impact": "Denial of service, security bypass by deleting .htaccess/config, data destruction.", "remediation": "1. Validate file paths strictly\n2. Use indirect references\n3. Implement soft-delete\n4. Restrict delete operations to specific directories", "has_tester": true, "false_positive_markers": [ "403", "Forbidden", "Access Denied" ] }, "zip_slip": { "title": "Zip Slip (Archive Path Traversal)", "severity": "high", "cwe_id": "CWE-22", "description": "Path traversal via crafted archive filenames writing files outside extraction directory.", "impact": "Arbitrary file write, web shell deployment, configuration overwrite.", "remediation": "1. Validate archive entry names\n2. Resolve and check extraction paths\n3. Use secure archive extraction libraries\n4. Extract to isolated directories", "has_tester": true, "false_positive_markers": [] }, "weak_password": { "title": "Weak Password Policy", "severity": "medium", "cwe_id": "CWE-521", "description": "Application accepts weak passwords that can be easily guessed or brute-forced.", "impact": "Account compromise through password guessing, credential stuffing success.", "remediation": "1. Enforce minimum 8+ character passwords\n2. Check against breached password databases\n3. Implement password strength meter\n4. Follow NIST SP 800-63B guidelines", "has_tester": true, "false_positive_markers": [] }, "default_credentials": { "title": "Default Credentials", "severity": "critical", "cwe_id": "CWE-798", "description": "Application or service uses default factory credentials that haven't been changed.", "impact": "Complete unauthorized access to admin or management interfaces.", "remediation": "1. Force password change on first login\n2. Remove default accounts\n3. Implement strong default password generation\n4. Regular credential audits", "has_tester": true, "false_positive_markers": [] }, "brute_force": { "title": "Brute Force Vulnerability", "severity": "medium", "cwe_id": "CWE-307", "description": "Login endpoint lacks rate limiting or account lockout allowing unlimited password attempts.", "impact": "Account compromise through automated password guessing.", "remediation": "1. Implement account lockout after N failures\n2. Add rate limiting per IP and per account\n3. Implement CAPTCHA after failures\n4. Use progressive delays", "has_tester": true, "false_positive_markers": [] }, "two_factor_bypass": { "title": "Two-Factor Authentication Bypass", "severity": "high", "cwe_id": "CWE-287", "description": "Second authentication factor can be bypassed through implementation flaws.", "impact": "Account takeover even when 2FA is enabled, defeating the purpose of MFA.", "remediation": "1. Enforce 2FA check on all authenticated routes\n2. Use server-side session state for 2FA completion\n3. Rate limit code attempts\n4. Make codes single-use with short expiry", "has_tester": true, "false_positive_markers": [] }, "oauth_misconfiguration": { "title": "OAuth Misconfiguration", "severity": "high", "cwe_id": "CWE-601", "description": "OAuth implementation flaws allowing redirect URI manipulation, state bypass, or token theft.", "impact": "Account takeover via stolen OAuth tokens, cross-site request forgery.", "remediation": "1. Strictly validate redirect_uri\n2. Require and validate state parameter\n3. Use PKCE for public clients\n4. Validate all OAuth scopes", "has_tester": true, "false_positive_markers": [ "401", "login required" ] }, "bfla": { "title": "Broken Function Level Authorization", "severity": "high", "cwe_id": "CWE-285", "description": "Admin API functions accessible to regular users without proper role checks.", "impact": "Privilege escalation to admin functionality, system configuration changes.", "remediation": "1. Implement role-based access control on all endpoints\n2. Deny by default\n3. Centralize authorization logic\n4. Audit all admin endpoints", "has_tester": true, "false_positive_markers": [] }, "mass_assignment": { "title": "Mass Assignment", "severity": "high", "cwe_id": "CWE-915", "description": "Application binds user-supplied data to internal model fields without filtering.", "impact": "Privilege escalation, data manipulation, bypassing business rules.", "remediation": "1. Use explicit field whitelists\n2. Implement DTOs for input\n3. Validate all bound fields\n4. Use strong parameter filtering", "has_tester": true, "false_positive_markers": [] }, "forced_browsing": { "title": "Forced Browsing / Broken Access Control", "severity": "medium", "cwe_id": "CWE-425", "description": "Direct URL access to restricted resources that should require authorization.", "impact": "Access to admin panels, sensitive files, debug interfaces, and internal tools.", "remediation": "1. Implement authentication on all protected routes\n2. Return 404 instead of 403 for sensitive paths\n3. Remove unnecessary files\n4. Use web server access controls", "has_tester": true, "false_positive_markers": [] }, "dom_clobbering": { "title": "DOM Clobbering", "severity": "medium", "cwe_id": "CWE-79", "description": "HTML injection that overrides JavaScript DOM properties through named elements.", "impact": "JavaScript logic bypass, potential XSS through clobbered variables.", "remediation": "1. Use strict variable declarations (const/let)\n2. Avoid global variable references\n3. Use safe DOM APIs\n4. Sanitize HTML input", "has_tester": true, "false_positive_markers": [] }, "postmessage_vulnerability": { "title": "postMessage Vulnerability", "severity": "medium", "cwe_id": "CWE-346", "description": "postMessage handlers that don't validate message origin allowing cross-origin data injection.", "impact": "Cross-origin data injection, XSS via injected data, sensitive data exfiltration.", "remediation": "1. Always validate event.origin\n2. Validate message data structure\n3. Use specific target origins\n4. Minimize data sent via postMessage", "has_tester": true, "false_positive_markers": [] }, "websocket_hijacking": { "title": "Cross-Site WebSocket Hijacking", "severity": "high", "cwe_id": "CWE-1385", "description": "WebSocket endpoints accepting connections from arbitrary origins without validation.", "impact": "Real-time data theft, message injection, session hijacking via WebSocket.", "remediation": "1. Validate Origin header on WebSocket upgrade\n2. Require authentication per-message\n3. Implement CSRF protection for handshake\n4. Use WSS (encrypted)", "has_tester": true, "false_positive_markers": [] }, "prototype_pollution": { "title": "Prototype Pollution", "severity": "high", "cwe_id": "CWE-1321", "description": "Injection of properties into JavaScript Object.prototype through merge/extend operations.", "impact": "Authentication bypass, RCE via gadget chains, denial of service.", "remediation": "1. Freeze Object.prototype\n2. Sanitize __proto__ and constructor keys\n3. Use Map instead of plain objects\n4. Update vulnerable libraries", "has_tester": true, "false_positive_markers": [] }, "css_injection": { "title": "CSS Injection", "severity": "medium", "cwe_id": "CWE-79", "description": "Injection of CSS code through user input reflected in style contexts.", "impact": "Data exfiltration via CSS selectors, UI manipulation, phishing.", "remediation": "1. Sanitize CSS properties\n2. Use CSP style-src\n3. Avoid user input in style attributes\n4. Whitelist safe CSS properties", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "tabnabbing": { "title": "Reverse Tabnabbing", "severity": "low", "cwe_id": "CWE-1022", "description": "Links with target=_blank without rel=noopener allowing opener tab navigation.", "impact": "Phishing via original tab replacement with fake login page.", "remediation": "1. Add rel='noopener noreferrer' to target=_blank links\n2. Use frameworks that add it automatically\n3. Audit user-generated links", "has_tester": true, "false_positive_markers": [] }, "directory_listing": { "title": "Directory Listing Enabled", "severity": "low", "cwe_id": "CWE-548", "description": "Web server auto-indexing enabled exposing directory file structure.", "impact": "Exposure of file structure, sensitive files, backup files, and configuration.", "remediation": "1. Disable directory listing (Options -Indexes)\n2. Add index files to all directories\n3. Review web server configuration\n4. Use custom error pages", "has_tester": true, "false_positive_markers": [] }, "debug_mode": { "title": "Debug Mode Enabled", "severity": "high", "cwe_id": "CWE-489", "description": "Application running in debug/development mode in production.", "impact": "Source code exposure, interactive console access, credential disclosure.", "remediation": "1. Disable debug mode in production\n2. Use environment-specific configuration\n3. Implement custom error pages\n4. Remove debug endpoints", "has_tester": true, "false_positive_markers": [] }, "exposed_admin_panel": { "title": "Exposed Administration Panel", "severity": "medium", "cwe_id": "CWE-200", "description": "Admin panel accessible from public internet without IP restrictions.", "impact": "Brute force target, credential theft, administration access if default creds.", "remediation": "1. Restrict admin access by IP/VPN\n2. Use strong authentication + 2FA\n3. Change default admin paths\n4. Implement rate limiting", "has_tester": true, "false_positive_markers": [] }, "exposed_api_docs": { "title": "Exposed API Documentation", "severity": "low", "cwe_id": "CWE-200", "description": "API documentation (Swagger/OpenAPI/GraphQL playground) publicly accessible.", "impact": "Complete API endpoint mapping, parameter discovery, potential unauthorized access.", "remediation": "1. Disable API docs in production\n2. Require authentication for docs\n3. Disable GraphQL introspection\n4. Use API gateway access controls", "has_tester": true, "false_positive_markers": [] }, "insecure_cookie_flags": { "title": "Insecure Cookie Configuration", "severity": "medium", "cwe_id": "CWE-614", "description": "Session cookies missing security flags (Secure, HttpOnly, SameSite).", "impact": "Cookie theft via XSS (no HttpOnly), MITM (no Secure), CSRF (no SameSite).", "remediation": "1. Set HttpOnly on session cookies\n2. Set Secure flag on HTTPS sites\n3. Set SameSite=Lax or Strict\n4. Review all cookie configurations", "has_tester": true, "false_positive_markers": [] }, "http_smuggling": { "title": "HTTP Request Smuggling", "severity": "high", "cwe_id": "CWE-444", "description": "Discrepancy between front-end and back-end HTTP parsing enabling request smuggling.", "impact": "Cache poisoning, request hijacking, authentication bypass, response queue poisoning.", "remediation": "1. Use HTTP/2 end-to-end\n2. Normalize Content-Length/Transfer-Encoding\n3. Reject ambiguous requests\n4. Update proxy/server software", "has_tester": true, "false_positive_markers": [] }, "cache_poisoning": { "title": "Web Cache Poisoning", "severity": "high", "cwe_id": "CWE-444", "description": "Manipulation of cached responses via unkeyed inputs to serve malicious content.", "impact": "Mass XSS via cached responses, redirect poisoning, denial of service.", "remediation": "1. Include all inputs in cache key\n2. Validate unkeyed headers\n3. Use Vary header correctly\n4. Implement cache key normalization", "has_tester": true, "false_positive_markers": [] }, "rate_limit_bypass": { "title": "Rate Limit Bypass", "severity": "medium", "cwe_id": "CWE-770", "description": "Rate limiting can be bypassed through header manipulation or request variation.", "impact": "Enables brute force attacks, API abuse, and denial of service.", "remediation": "1. Rate limit by authenticated user, not just IP\n2. Don't trust X-Forwarded-For for rate limiting\n3. Implement at multiple layers\n4. Use sliding window algorithms", "has_tester": true, "false_positive_markers": [] }, "parameter_pollution": { "title": "HTTP Parameter Pollution", "severity": "medium", "cwe_id": "CWE-235", "description": "Duplicate parameters exploit parsing differences between front-end and back-end.", "impact": "WAF bypass, logic bypass, access control circumvention.", "remediation": "1. Normalize parameters server-side\n2. Reject duplicate parameters\n3. Use consistent parsing\n4. Test with duplicate params", "has_tester": true, "false_positive_markers": [] }, "type_juggling": { "title": "Type Juggling / Type Coercion", "severity": "high", "cwe_id": "CWE-843", "description": "Loose type comparison exploited to bypass authentication or security checks.", "impact": "Authentication bypass, security check circumvention via type confusion.", "remediation": "1. Use strict comparison (=== in PHP/JS)\n2. Validate input types\n3. Use strong typing\n4. Hash comparison with timing-safe functions", "has_tester": true, "false_positive_markers": [] }, "insecure_deserialization": { "title": "Insecure Deserialization", "severity": "critical", "cwe_id": "CWE-502", "description": "Untrusted data deserialized without validation enabling code execution.", "impact": "Remote code execution, denial of service, authentication bypass.", "remediation": "1. Don't deserialize untrusted data\n2. Use JSON instead of native serialization\n3. Implement integrity checks\n4. Restrict deserialization types", "has_tester": true, "false_positive_markers": [] }, "subdomain_takeover": { "title": "Subdomain Takeover", "severity": "high", "cwe_id": "CWE-284", "description": "Dangling DNS records pointing to unclaimed cloud resources.", "impact": "Domain impersonation, phishing, cookie theft, authentication bypass.", "remediation": "1. Audit DNS records regularly\n2. Remove dangling CNAME records\n3. Monitor cloud resource lifecycle\n4. Use DNS monitoring tools", "has_tester": true, "false_positive_markers": [] }, "host_header_injection": { "title": "Host Header Injection", "severity": "medium", "cwe_id": "CWE-644", "description": "Host header value used in URL generation enabling poisoning attacks.", "impact": "Password reset poisoning, cache poisoning, SSRF via Host header.", "remediation": "1. Validate Host against allowed values\n2. Use absolute URLs from configuration\n3. Don't use Host header for URL generation\n4. Implement ALLOWED_HOSTS", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "timing_attack": { "title": "Timing Attack", "severity": "medium", "cwe_id": "CWE-208", "description": "Response time variations leak information about valid usernames or secret values.", "impact": "Username enumeration, token/password character extraction.", "remediation": "1. Use constant-time comparison for secrets\n2. Normalize response times\n3. Add random delays\n4. Use same code path for valid/invalid input", "has_tester": true, "false_positive_markers": [] }, "improper_error_handling": { "title": "Improper Error Handling", "severity": "low", "cwe_id": "CWE-209", "description": "Verbose error messages disclosing internal information in production.", "impact": "Source path disclosure, database details, technology stack exposure aiding further attacks.", "remediation": "1. Use custom error pages in production\n2. Log errors server-side only\n3. Return generic error messages\n4. Disable debug/stack trace output", "has_tester": true, "false_positive_markers": [] }, "sensitive_data_exposure": { "title": "Sensitive Data Exposure", "severity": "high", "cwe_id": "CWE-200", "description": "Sensitive data (PII, credentials, tokens) exposed in responses, URLs, or storage.", "impact": "Identity theft, account compromise, regulatory violations (GDPR, HIPAA).", "remediation": "1. Minimize data in API responses\n2. Encrypt sensitive data at rest/transit\n3. Remove sensitive data from URLs\n4. Implement data classification", "has_tester": true, "false_positive_markers": [] }, "information_disclosure": { "title": "Information Disclosure", "severity": "low", "cwe_id": "CWE-200", "description": "Unintended exposure of internal details: versions, paths, technology stack.", "impact": "Aids further attacks with technology-specific exploits and internal knowledge.", "remediation": "1. Remove version headers\n2. Disable directory listing\n3. Remove HTML comments\n4. Secure .git and config files", "has_tester": true, "false_positive_markers": [] }, "api_key_exposure": { "title": "API Key Exposure", "severity": "high", "cwe_id": "CWE-798", "description": "API keys or secrets hardcoded in client-side code or public files.", "impact": "Unauthorized API access, financial impact, data breach via exposed keys.", "remediation": "1. Use environment variables for secrets\n2. Implement key rotation\n3. Use backend proxy for API calls\n4. Monitor key usage for anomalies", "has_tester": true, "false_positive_markers": [] }, "source_code_disclosure": { "title": "Source Code Disclosure", "severity": "high", "cwe_id": "CWE-540", "description": "Application source code accessible through misconfigured servers, backups, or VCS exposure.", "impact": "White-box attack surface, credential discovery, vulnerability identification.", "remediation": "1. Block .git, .svn access\n2. Remove source maps in production\n3. Delete backup files\n4. Configure web server to block sensitive extensions", "has_tester": true, "false_positive_markers": [] }, "backup_file_exposure": { "title": "Backup File Exposure", "severity": "high", "cwe_id": "CWE-530", "description": "Backup files, database dumps, or archives accessible from web server.", "impact": "Full source code access, database contents including credentials.", "remediation": "1. Store backups outside web root\n2. Remove old backup files\n3. Block backup extensions in web server\n4. Encrypt backup files", "has_tester": true, "false_positive_markers": [ "403", "Forbidden", "Access Denied" ] }, "version_disclosure": { "title": "Software Version Disclosure", "severity": "low", "cwe_id": "CWE-200", "description": "Specific software versions exposed enabling targeted CVE exploitation.", "impact": "Targeted exploitation of known vulnerabilities for the specific version.", "remediation": "1. Remove version from headers\n2. Update software regularly\n3. Remove version-disclosing files\n4. Customize error pages", "has_tester": true, "false_positive_markers": [] }, "weak_encryption": { "title": "Weak Encryption Algorithm", "severity": "medium", "cwe_id": "CWE-327", "description": "Use of weak/deprecated encryption algorithms (DES, RC4, ECB mode).", "impact": "Data decryption, MITM attacks, breaking confidentiality protections.", "remediation": "1. Use AES-256-GCM or ChaCha20\n2. Disable weak cipher suites\n3. Use TLS 1.2+ only\n4. Regular cryptographic review", "has_tester": true, "false_positive_markers": [] }, "weak_hashing": { "title": "Weak Hashing Algorithm", "severity": "medium", "cwe_id": "CWE-328", "description": "Use of weak hash algorithms (MD5, SHA1) for security-critical purposes.", "impact": "Password cracking, hash collision attacks, integrity bypass.", "remediation": "1. Use bcrypt/scrypt/argon2 for passwords\n2. Use SHA-256+ for integrity\n3. Always use salts\n4. Implement key stretching", "has_tester": true, "false_positive_markers": [] }, "weak_random": { "title": "Weak Random Number Generation", "severity": "medium", "cwe_id": "CWE-330", "description": "Predictable random numbers used for security tokens or session IDs.", "impact": "Token prediction, session hijacking, CSRF token bypass.", "remediation": "1. Use cryptographic PRNG (secrets module, SecureRandom)\n2. Avoid Math.random() for security\n3. Use sufficient entropy\n4. Regular token rotation", "has_tester": true, "false_positive_markers": [] }, "cleartext_transmission": { "title": "Cleartext Transmission of Sensitive Data", "severity": "medium", "cwe_id": "CWE-319", "description": "Sensitive data transmitted over unencrypted HTTP connections.", "impact": "Credential theft via MITM, session hijacking, data exposure.", "remediation": "1. Enforce HTTPS everywhere\n2. Implement HSTS with preload\n3. Redirect HTTP to HTTPS\n4. Set Secure flag on cookies", "has_tester": true, "false_positive_markers": [] }, "vulnerable_dependency": { "title": "Vulnerable Third-Party Dependency", "severity": "varies", "cwe_id": "CWE-1104", "description": "Third-party library with known CVEs in use.", "impact": "Depends on specific CVE - from XSS to RCE.", "remediation": "1. Regular dependency updates\n2. Use automated vulnerability scanning\n3. Monitor CVE advisories\n4. Implement SCA in CI/CD", "has_tester": true, "false_positive_markers": [] }, "outdated_component": { "title": "Outdated Software Component", "severity": "medium", "cwe_id": "CWE-1104", "description": "Significantly outdated CMS, framework, or server with multiple known CVEs.", "impact": "Multiple exploitable vulnerabilities, targeted attacks.", "remediation": "1. Update to latest stable version\n2. Enable automatic security updates\n3. Monitor end-of-life announcements\n4. Implement patch management", "has_tester": true, "false_positive_markers": [] }, "insecure_cdn": { "title": "Insecure CDN Resource Loading", "severity": "low", "cwe_id": "CWE-829", "description": "External scripts loaded without Subresource Integrity (SRI) hashes.", "impact": "Supply chain attack via CDN compromise, mass XSS.", "remediation": "1. Add integrity= attribute to script/link tags\n2. Use crossorigin attribute\n3. Self-host critical resources\n4. Implement CSP with hash sources", "has_tester": true, "false_positive_markers": [] }, "container_escape": { "title": "Container Escape / Misconfiguration", "severity": "critical", "cwe_id": "CWE-250", "description": "Container running with elevated privileges or exposed host resources.", "impact": "Host system compromise, lateral movement, data access across containers.", "remediation": "1. Don't use --privileged\n2. Drop unnecessary capabilities\n3. Don't mount Docker socket\n4. Use seccomp/AppArmor profiles", "has_tester": true, "false_positive_markers": [] }, "s3_bucket_misconfiguration": { "title": "S3/Cloud Storage Misconfiguration", "severity": "high", "cwe_id": "CWE-284", "description": "Cloud storage bucket with public read/write access.", "impact": "Data exposure, data tampering, hosting malicious content.", "remediation": "1. Enable S3 Block Public Access\n2. Review bucket policies\n3. Use IAM policies for access\n4. Enable access logging", "has_tester": true, "false_positive_markers": [] }, "cloud_metadata_exposure": { "title": "Cloud Metadata Exposure", "severity": "critical", "cwe_id": "CWE-918", "description": "Cloud instance metadata service accessible exposing credentials.", "impact": "IAM credential theft, cloud account compromise, lateral movement.", "remediation": "1. Use IMDSv2 (token-required)\n2. Block metadata endpoint in firewall\n3. Implement SSRF protection\n4. Use minimal IAM roles", "has_tester": true, "false_positive_markers": [] }, "serverless_misconfiguration": { "title": "Serverless Misconfiguration", "severity": "medium", "cwe_id": "CWE-284", "description": "Serverless function with excessive permissions or missing auth.", "impact": "Unauthorized function execution, environment variable exposure, privilege escalation.", "remediation": "1. Apply least privilege IAM roles\n2. Require authentication\n3. Don't expose secrets in env vars\n4. Implement function authorization", "has_tester": true, "false_positive_markers": [] }, "graphql_introspection": { "title": "GraphQL Introspection Enabled", "severity": "low", "cwe_id": "CWE-200", "description": "GraphQL introspection enabled in production exposing full API schema.", "impact": "Complete API mapping, discovery of sensitive types and mutations.", "remediation": "1. Disable introspection in production\n2. Use persisted queries\n3. Implement field-level authorization\n4. Use query allowlisting", "has_tester": true, "false_positive_markers": [] }, "graphql_dos": { "title": "GraphQL Denial of Service", "severity": "medium", "cwe_id": "CWE-400", "description": "GraphQL endpoint vulnerable to resource-exhaustion via complex/nested queries.", "impact": "Service unavailability, resource exhaustion, increased infrastructure costs.", "remediation": "1. Implement query depth limits\n2. Add query complexity analysis\n3. Set timeout on queries\n4. Use persisted/allowlisted queries", "has_tester": true, "false_positive_markers": [] }, "rest_api_versioning": { "title": "Insecure API Version Exposure", "severity": "low", "cwe_id": "CWE-284", "description": "Older API versions with weaker security controls still accessible.", "impact": "Bypass newer security controls via old API versions.", "remediation": "1. Deprecate and remove old API versions\n2. Apply same security to all versions\n3. Monitor old version usage\n4. Set deprecation timelines", "has_tester": true, "false_positive_markers": [] }, "soap_injection": { "title": "SOAP/XML Web Service Injection", "severity": "high", "cwe_id": "CWE-91", "description": "Injection in SOAP/XML web service parameters manipulating queries.", "impact": "Data extraction, XXE via SOAP, SOAP action spoofing for unauthorized operations.", "remediation": "1. Validate SOAP input\n2. Disable XML external entities\n3. Validate SOAPAction header\n4. Use WS-Security", "has_tester": true, "false_positive_markers": [ "sanitized", "escaped", "encoded" ] }, "api_rate_limiting": { "title": "Missing API Rate Limiting", "severity": "medium", "cwe_id": "CWE-770", "description": "API endpoints lacking rate limiting allowing unlimited requests.", "impact": "Brute force, scraping, DoS, API abuse at scale.", "remediation": "1. Implement rate limiting per user/IP\n2. Return 429 with Retry-After\n3. Use API gateway throttling\n4. Implement sliding window algorithm", "has_tester": true, "false_positive_markers": [] }, "excessive_data_exposure": { "title": "Excessive Data Exposure", "severity": "medium", "cwe_id": "CWE-213", "description": "APIs returning more data than the client needs, including sensitive fields.", "impact": "Exposure of sensitive fields (password hashes, tokens, PII) to clients.", "remediation": "1. Use response DTOs/serializers\n2. Implement field-level filtering\n3. Apply least-data principle\n4. Separate admin and user endpoints", "has_tester": true, "false_positive_markers": [] } }, "category_mappings": { "injection": [ "sqli_error", "sqli_union", "sqli_blind", "sqli_time", "command_injection", "ssti", "nosql_injection", "xxe" ], "xss": [ "xss_reflected", "xss_stored", "xss_dom" ], "file_access": [ "lfi", "rfi", "path_traversal", "file_upload" ], "request_forgery": [ "ssrf", "ssrf_cloud", "csrf" ], "auth": [ "auth_bypass", "jwt_manipulation", "session_fixation" ], "authorization": [ "idor", "bola", "privilege_escalation" ], "client_side": [ "cors_misconfig", "clickjacking", "open_redirect" ], "infrastructure": [ "security_headers", "ssl_issues", "http_methods" ], "logic": [ "race_condition", "business_logic" ] }, "xbow_insights": { "default_credentials": { "description": "XBOW: 15 challenges focused on default/weak credentials", "common_creds": [ [ "admin", "admin" ], [ "admin", "password" ], [ "admin", "123456" ], [ "root", "root" ], [ "root", "toor" ], [ "test", "test" ], [ "user", "user" ], [ "admin", "" ], [ "admin", "admin123" ], [ "administrator", "administrator" ], [ "guest", "guest" ], [ "operator", "operator" ], [ "tomcat", "tomcat" ], [ "manager", "manager" ], [ "postgres", "postgres" ] ], "targets": [ "login pages", "admin panels", "database consoles", "management interfaces" ] }, "deserialization": { "description": "XBOW: 4 challenges on insecure deserialization", "frameworks": [ "pickle", "yaml", "php_serialize", "java_serialized", "json_dotnet" ], "indicators": [ "base64 encoded objects", "serialized data in cookies", "__reduce__", "ObjectInputStream" ] }, "business_logic": { "description": "XBOW: 4 challenges on business logic flaws", "patterns": [ "type_juggling", "race_condition", "mass_assignment", "parameter_pollution" ], "techniques": [ "concurrent requests", "negative values", "type coercion", "hidden parameters" ] }, "idor": { "description": "XBOW: 11 challenges on IDOR/authorization bypass", "techniques": [ "sequential ID enumeration", "UUID prediction", "parameter tampering", "HTTP method switching" ], "indicators": [ "numeric IDs in URLs", "user_id parameters", "object references in API" ] }, "privilege_escalation": { "description": "XBOW: 6 challenges on privilege escalation", "techniques": [ "role parameter manipulation", "admin flag injection", "JWT claim editing", "path-based auth bypass" ] }, "ssti": { "description": "XBOW: 9 challenges on SSTI", "probes": [ "{{7*7}}", "${7*7}", "<%= 7*7 %>", "#{7*7}", "*{7*7}", "{{\"\".__class__}}" ], "frameworks": [ "Jinja2", "Twig", "Freemarker", "Mako", "Velocity", "Smarty", "Pebble" ] }, "path_traversal": { "description": "XBOW: 5 challenges on path traversal/LFI", "bypasses": [ "....//....//etc/passwd", "..%2f..%2f", "..%252f", "..\\..\\", "%2e%2e%2f" ], "targets": [ "/etc/passwd", "/etc/shadow", "C:\\Windows\\win.ini", "/proc/self/environ" ] }, "blind_sqli": { "description": "XBOW: 3 challenges on blind SQL injection", "techniques": [ "boolean-based", "time-based", "out-of-band" ], "detection": [ "response size diff", "timing diff > 5s", "DNS callback" ] }, "verification_methodology": { "description": "XBOW binary verification approach adapted for black-box testing", "principles": [ "Every finding must have concrete HTTP evidence", "Health check target before testing", "Cache and reuse baseline responses", "Multi-signal confirmation (2+ signals = confirmed)", "Never trust AI claims without HTTP evidence", "Reject speculative language in evidence" ] } } }